A newly discovered cryptomining campaign, called Drive-by Cryptomining, has targeted millions of Android users to mine Monero coins. The campaign started around November 2017 and uses several different malicious domains.
The malicious payloads are being distributed by a particular hacking group that mainly abuses Android users' devices to mine the Monero cryptocurrency.
Over the past few years, cryptocurrency mining has become an easy way for cybercriminals to generate large revenue: they hijack the web browser, inject a malicious script, and take control of the victim's CPU.
Drive-by cryptomining is an automated process that requires no user interaction; it lands on the victim's device and silently runs its mining operation.
How Drive-by Cryptomining Redirects Users
In this case, when users visit the attacker's website, it shows a fake notification claiming that "your device is showing suspicious surfing behaviour" and presents a CAPTCHA that the user is urged to solve in order to prove they are not a bot.
Researchers analyzing the code behind this operation found that it then redirects users to the Google page, making them believe they have simply proven they are not a bot.
According to Malwarebytes, it's possible that this particular campaign is going after low-quality traffic, but not necessarily bots, and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner.
Many domains use the same CAPTCHA code to mine Monero; the very first domain was registered in November 2017.
Domain name and registration date:
- recycloped[.]com 2017-11-22
- rcyclmnr.com 2017-12-01
- rcylpd[.]com 2018-01-03
- rcyclmnrepv[.]com 2018-01-17
- rcyclmnrprd[.]com 2018-01-17
- rcyclmnrhgntry[.]com 2018-01-22
Beyond that, traffic to these few domains has risen extremely sharply within a short period of time: each domain is estimated to receive 800,000 visitors per day and more than 30 million visitors per month.
"It is difficult to determine how much Monero currency this operation is currently yielding without knowing how many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month," Malwarebytes said.
Indicators of compromise
- rcyclmnr.com
- rcylpd[.]com
- recycloped[.]com
- rcyclmnrhgntry[.]com
- rcyclmnrprd[.]com
- rcyclmnrepv[.]com
Referring websites (note that these should not necessarily be considered malicious):
- panelsave[.]com
- offerreality[.]com
- thewise[.]com
- go.bestmobiworld[.]com
- questionfly[.]com
- goldoffer[.]online
- exdynsrv[.]com
- thewhizmarketing[.]com
- laserveradedomaina[.]com
- thewhizproducts[.]com
- smartoffer[.]site
- formulawire[.]com
- machieved[.]com
- wtm.monitoringservice[.]co
- traffic.tc-clicks[.]com
- stonecalcom[.]com
- nametraff[.]com
- becanium[.]com
- afflow.18-plus[.]net
- serie-vostfr[.]com
- pertholin[.]com
- yrdrtzmsmt[.]com
Coinhive site keys:
- gufKH0i0u47VVmUMCga8oNnjRKi1EbxL
- P3IN11cxuF4kf2kviM1a7MntCPu00WTG
- zEqkQef50Irljpr1X3BqbHdGjMWnNyCd
- rNYyUQUC5iQLdKafFS9Gi2jTVZKX8Vlq
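The indicators above are only useful once they are matched against something. The following script is an added example, not code from the article or from Malwarebytes: it refangs the published campaign domains, checks proxy-log request hosts against them (matching subdomains but not look-alike hosts that merely end in the same string), and searches page source for the published Coinhive site keys. The log lines and the HTML snippet are constructed for the example.

```python
"""
Added example: match the Drive-by Cryptomining indicators from the article
against proxy log lines and page source. Not the article's or Malwarebytes'
code; the sample log lines and page snippet below are constructed.
"""
import re

# Campaign domains exactly as published in the article (defanged with "[.]").
CAMPAIGN_DOMAINS = [
    "rcyclmnr.com", "rcylpd[.]com", "recycloped[.]com",
    "rcyclmnrhgntry[.]com", "rcyclmnrprd[.]com", "rcyclmnrepv[.]com",
]

# Coinhive site keys exactly as published in the article.
COINHIVE_SITE_KEYS = [
    "gufKH0i0u47VVmUMCga8oNnjRKi1EbxL",
    "P3IN11cxuF4kf2kviM1a7MntCPu00WTG",
    "zEqkQef50Irljpr1X3BqbHdGjMWnNyCd",
    "rNYyUQUC5iQLdKafFS9Gi2jTVZKX8Vlq",
]


def refang(indicator: str) -> str:
    """Turn a defanged 'example[.]com' back into 'example.com', lowercased."""
    return indicator.replace("[.]", ".").strip().lower()


def host_matches(host: str, domains) -> bool:
    """True if host equals a campaign domain or is a subdomain of one.

    The '.' + domain suffix check means 'cdn.rcylpd.com' matches but a
    look-alike such as 'notrcyclmnr.com' does not.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        d = refang(d)
        if host == d or host.endswith("." + d):
            return True
    return False


# Pull the host out of the request URL in a proxy log line.
_URL_HOST = re.compile(r"https?://([^/:\s]+)")


def scan_proxy_logs(lines):
    """Return (line_number, host) for every line whose request host is a campaign domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _URL_HOST.search(line)
        if m and host_matches(m.group(1), CAMPAIGN_DOMAINS):
            hits.append((n, m.group(1).lower()))
    return hits


def find_site_keys(page_source: str):
    """Return the published Coinhive site keys that appear in a page's source."""
    return [k for k in COINHIVE_SITE_KEYS if k in page_source]


# Constructed Squid-style access log lines (clients and upstream IPs are documentation ranges).
SAMPLE_LOG = [
    "1516700000.123 205 10.0.0.12 TCP_MISS/200 5120 GET http://rcyclmnrprd.com/ - HIER_DIRECT/203.0.113.10 text/html",
    "1516700001.456 310 10.0.0.12 TCP_MISS/200 9800 GET https://www.google.com/ - HIER_DIRECT/203.0.113.20 text/html",
    "1516700002.789 88 10.0.0.33 TCP_MISS/200 777 GET http://cdn.rcylpd.com/captcha.js - HIER_DIRECT/203.0.113.10 application/javascript",
    "1516700003.001 120 10.0.0.33 TCP_MISS/200 512 GET http://notrcyclmnr.com/ - HIER_DIRECT/203.0.113.30 text/html",
]

# Constructed page source containing a miner loader with one of the published site keys.
SAMPLE_PAGE = """<html><body>
<p>Your device is showing suspicious surfing behaviour. Please solve the CAPTCHA.</p>
<script>var miner = new CoinHive.Anonymous('gufKH0i0u47VVmUMCga8oNnjRKi1EbxL'); miner.start();</script>
</body></html>"""


if __name__ == "__main__":
    for n, host in scan_proxy_logs(SAMPLE_LOG):
        print(f"proxy log line {n}: request to campaign domain {host}")
    for key in find_site_keys(SAMPLE_PAGE):
        print(f"page source contains published Coinhive site key {key}")
```

Run as-is it reports lines 1 and 3 of the constructed log and the one site key in the constructed page; line 4 is deliberately a look-alike host that must not match. To use it on real data, replace SAMPLE_LOG with the lines of your proxy or DNS log and SAMPLE_PAGE with fetched page source.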